<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div th:replace="~{common/common::head}"></div>

<body>
<div class="layuimini-container">
    <div class="layuimini-main">
        <div class="layui-row layui-col-space15">
            <div class="layui-col-md12">
                <fieldset class="layui-elem-field layui-field-title">
                    <legend style="color: rgb(30 159 255)">其他漏洞 - URL重定向</legend>
                    <blockquote class="layui-elem-quote layui-quote-nm"
                                style="font-size: 15px;background-color: #a7deefab;box-shadow: 0 .125rem .25rem rgba(0, 0, 0, .075) !important">
                        <p>
                        <pre>  URL重定向：由于服务端未对传入的跳转地址进行检查和控制，从而导致攻击者可以构造任意一个恶意地址诱导用户跳转至恶意站点。因为是从用户可信站点跳转出去的，用户会比较信任该站点，所以URL跳转漏洞常用于钓鱼攻击、通过转到攻击者精心构造的恶意网站来欺骗用户输入信息，从而盗取用户的账号和密码等敏感信息</pre>
                        <pre>  漏洞场景：登录/登出/注销/错误页面跳转、OAuth第三方登录回调、文件下载，从黑盒的角度上来讲，遇到http(s)://的链接都可以进行Fuzz测试</pre>
                        </p>
                    </blockquote>
                </fieldset>
            </div>
            <div class="layui-col-md12" style="margin-top: 10px">
                <div class="layui-row layui-col-space15">
                    <div class="layui-col-md6">
                        <h1><span class="iconfont icon-bug">  漏洞环境：基于Spring MVC的重定向方式</span></h1>
                        <div class="layui-tab layui-tab-brief">
                            <ul class="layui-tab-title">
                                <li class="layui-this">redirect</li>
                                <li>ModelAndView</li>


                            </ul>
                            <div class="layui-tab-content">
                                <div class="layui-tab-item layui-show">
                                    <blockquote class="layui-elem-quote main_btn">
                                        <form class="layui-form" th:action="@{/other/URLRedirect/redirect}" style="display: flex; justify-content: space-between;">
                                            <div style="display: flex; align-items: center;">
                                                <input type="text" name="url" style="width: 300px;" required
                                                       lay-verify="required" value="http://bilibili.com" placeholder="跳转地址" autocomplete="off"
                                                       class="layui-input" id="vul1-SpringMvc-redirect-input">
                                            </div>
                                            <div style="display: flex; align-items: center;">
                                                <select class="layui-form-select"
                                                        style="background-color: #5eb878;!important;"
                                                        lay-filter="vul1-SpringMvc-redirect">
                                                    <option value="">示例Payload</option>
                                                    <option value="http://bilibili.com">http://bilibili.com</option>
                                                    <option value="https://blog.csdn.net/weixin_53009585">
                                                        作者博客
                                                    </option>
                                                </select>
                                                <button class="layui-btn layui-btn-normal"
                                                        style="width: 100px; margin-left: 10px;"
                                                        lay-filter="vul1-SpringMvc-redirect" lay-submit="">
                                                    <span class="iconfont icon-zhihang">Run</span>
                                                </button>
                                            </div>
                                        </form>
                                    </blockquote>
                                </div>

                                <!--    ModelAndView-->
                                <div class="layui-tab-item">
                                    <blockquote class="layui-elem-quote main_btn">
                                        <form class="layui-form" th:action="@{/other/URLRedirect/redirectWithModelAndView}" style="display: flex; justify-content: space-between;">
                                            <div style="display: flex; align-items: center;">
                                                <input type="text" name="url" style="width: 300px;" required
                                                       lay-verify="required" value="http://bilibili.com"  placeholder="跳转地址" autocomplete="off"
                                                       class="layui-input" id="vul1-SpringMvc-ModelAndView-input">
                                            </div>
                                            <div style="display: flex; align-items: center;">
                                                <button class="layui-btn layui-btn-normal"
                                                        style="width: 100px; margin-left: 10px;"
                                                        lay-filter="vul1-SpringMvc-ModelAndVie" lay-submit="">
                                                    <span class="iconfont icon-zhihang">Run</span>
                                                </button>
                                            </div>
                                        </form>
                                    </blockquote>
                                </div>

                                <div class="layui-col-md12">
                                    <div class="layui-card">
                                        <div class="layui-card-header"><i class="fa fa-bullhorn icon-tip"></i>tips</div>
                                        <div class="layui-card-body layui-text layadmin-text">
                                            <pre style="color: #28333e;font-size: 15px;">状态码：
  301:请求的资源已永久移动到新位置
      使用场景：页面永久性迁移
      SEO影响：将旧URL的权重传递给新URL
  302:请求的资源临时位于不同位置
      使用场景：资源临时迁移或负载均衡
      SEO影响：不传递权重，适用于临时重定向</pre>
                                        </div>
                                    </div>
                                </div>

                            </div>
                        </div>
                    </div>

                    <div class="layui-col-md6">
                        <h1><span class="iconfont icon-code">  缺陷代码</span></h1>
                        <div class="m-auto div-shadow shadow p-3 mb-5 bg-white rounded">
                            <div class="code-editor" id="vul1SpringMvcRedirect">
                            </div>
                        </div>
                    </div>

                </div>
            </div>
            <div class="layui-col-md12" style="margin-top: 10px">
                <div class="layui-row layui-col-space15">
                    <div class="layui-col-md6">
                        <h1><span class="iconfont icon-bug">  漏洞环境：基于Servlet标准的重定向方式</span></h1>
                        <div class="layui-tab layui-tab-brief">
                            <ul class="layui-tab-title">
                                <li class="layui-this">setHeader</li>
                                <li>sendRedirect</li>


                            </ul>
                            <div class="layui-tab-content">
                                <div class="layui-tab-item layui-show">
                                    <blockquote class="layui-elem-quote main_btn">
                                        <form class="layui-form" th:action="@{/other/URLRedirect/setHeader}" style="display: flex; justify-content: space-between;">
                                            <div style="display: flex; align-items: center;">
                                                <input type="text" name="url" style="width: 300px;" required
                                                       lay-verify="required" value="http://bilibili.com"  placeholder="跳转地址" autocomplete="off"
                                                       class="layui-input" id="vul2-Servlet-redirect-input">
                                            </div>
                                            <div style="display: flex; align-items: center;">
                                                <select class="layui-form-select"
                                                        style="background-color: #5eb878;!important;"
                                                        lay-filter="vul2-Servlet-redirect">
                                                    <option value="">示例Payload</option>
                                                    <option value="http://bilibili.com">http://bilibili.com</option>
                                                    <option value="https://blog.csdn.net/weixin_53009585">
                                                        作者博客
                                                    </option>
                                                </select>
                                                <button class="layui-btn layui-btn-normal"
                                                        style="width: 100px; margin-left: 10px;"
                                                        lay-filter="vul2-Servlet-redirect" lay-submit="">
                                                    <span class="iconfont icon-zhihang">Run</span>
                                                </button>
                                            </div>
                                        </form>
                                    </blockquote>
                                </div>

                                <div class="layui-tab-item">
                                    <blockquote class="layui-elem-quote main_btn">
                                        <form class="layui-form" th:action="@{/other/URLRedirect/sendRedirect}" style="display: flex; justify-content: space-between;">
                                            <div style="display: flex; align-items: center;">
                                                <input type="text" name="url" style="width: 300px;" required
                                                       lay-verify="required" value="http://bilibili.com"  placeholder="跳转地址" autocomplete="off"
                                                       class="layui-input">
                                            </div>
                                            <div style="display: flex; align-items: center;">
                                                <button class="layui-btn layui-btn-normal"
                                                        style="width: 100px; margin-left: 10px;"
                                                        lay-filter="vul2-Servlet-redirect" lay-submit="">
                                                    <span class="iconfont icon-zhihang">Run</span>
                                                </button>
                                            </div>
                                        </form>
                                    </blockquote>
                                </div>

                                <div class="layui-col-md12">
                                    <div class="layui-card">
                                        <div class="layui-card-header"><i class="fa fa-bullhorn icon-tip"></i>tips</div>
                                        <div class="layui-card-body layui-text layadmin-text">
                                            <pre style="color: #28333e;font-size: 15px;">代码审计SINK点：
	redirect、url、redirectUrl、callback、return_url、toUrl、ReturnUrl
fromUrl、redUrl、request、redirect_to、redirect_url、jump、jump_to
target、to、goto、link、linkto、domain、oauth_callback
</pre>
                                        </div>
                                    </div>
                                </div>

                            </div>
                        </div>
                    </div>

                    <div class="layui-col-md6">
                        <h1><span class="iconfont icon-code">  缺陷代码</span></h1>
                        <div class="m-auto div-shadow shadow p-3 mb-5 bg-white rounded">
                            <div class="code-editor" id="vul2ServletRedirect">
                            </div>
                        </div>
                    </div>

                </div>
            </div>

            <div class="layui-col-md12" style="margin-top: 10px">
                <div class="layui-row layui-col-space15">
                    <div class="layui-col-md6">
                        <h1><span class="iconfont icon-bug">  漏洞环境：基于Spring注解和状态码的重定向方式</span></h1>
                        <div class="layui-tab layui-tab-brief">
                            <ul class="layui-tab-title">
                                <li class="layui-this">responseEntityRedirect</li>
                                <li>annotationRedirect</li>
                            </ul>
                            <div class="layui-tab-content">
                                <div class="layui-tab-item layui-show">
                                    <blockquote class="layui-elem-quote main_btn">
                                        <form class="layui-form" th:action="@{/other/URLRedirect/responseEntityRedirect}" style="display: flex; justify-content: space-between;">
                                            <div style="display: flex; align-items: center;">
                                                <input type="text" name="url" style="width: 300px;" required
                                                       lay-verify="required" value="http://bilibili.com"  placeholder="跳转地址" autocomplete="off"
                                                       class="layui-input" id="vul3-Spring-redirect-input">
                                            </div>
                                            <div style="display: flex; align-items: center;">
                                                <select class="layui-form-select"
                                                        style="background-color: #5eb878;!important;"
                                                        lay-filter="vul3-Spring-redirect">
                                                    <option value="">示例Payload</option>
                                                    <option value="http://bilibili.com">http://bilibili.com</option>
                                                    <option value="https://blog.csdn.net/weixin_53009585">
                                                        作者博客
                                                    </option>
                                                </select>
                                                <button class="layui-btn layui-btn-normal"
                                                        style="width: 100px; margin-left: 10px;"
                                                        lay-filter="vul3-Spring-redirect" lay-submit="">
                                                    <span class="iconfont icon-zhihang">Run</span>
                                                </button>
                                            </div>
                                        </form>
                                    </blockquote>
                                </div>

                                <div class="layui-tab-item">
                                    <blockquote class="layui-elem-quote main_btn">
                                        <form class="layui-form" th:action="@{/other/URLRedirect/annotationRedirect}" style="display: flex; justify-content: space-between;">
                                            <div style="display: flex; align-items: center;">
                                                <input type="text" name="url" style="width: 300px;" required
                                                       lay-verify="required" value="http://bilibili.com"  placeholder="跳转地址" autocomplete="off"
                                                       class="layui-input">
                                            </div>
                                            <div style="display: flex; align-items: center;">
                                                <button class="layui-btn layui-btn-normal"
                                                        style="width: 100px; margin-left: 10px;"
                                                         lay-submit="">
                                                    <span class="iconfont icon-zhihang">Run</span>
                                                </button>
                                            </div>
                                        </form>
                                    </blockquote>
                                </div>

                                <div class="layui-col-md12">
                                    <div class="layui-card">
                                        <div class="layui-card-header"><i class="fa fa-bullhorn icon-tip"></i>tips</div>
                                        <div class="layui-card-body layui-text layadmin-text">
                                            <pre style="color: #28333e;font-size: 15px;">   URL跳转的本质是在服务器端将用户请求的数据进行一次转发，请求可以被重新定向到另一个 URL。这种操作可以分为两种主要类型：服务器端转发和客户端重定向</pre>
                                        </div>
                                    </div>
                                </div>

                            </div>
                        </div>
                    </div>

                    <div class="layui-col-md6">
                        <h1><span class="iconfont icon-code">  缺陷代码</span></h1>
                        <div class="m-auto div-shadow shadow p-3 mb-5 bg-white rounded">
                            <div class="code-editor" id="vul3SpringRedirect">
                            </div>
                        </div>
                    </div>

                </div>
            </div>

        </div>
    </div>
</div>
</div>

<div th:replace="~{common/common::script}"></div>
<script type="text/javascript">
    document.addEventListener("DOMContentLoaded", function () {

        layui.use(['layer', 'miniTab', 'common', 'form'], function () {
            var $ = layui.jquery,
                layer = layui.layer,
                miniTab = layui.miniTab,
                common = layui.common,
                form = layui.form;
            miniTab.listen();
            layer.msg("其他漏洞-URL重定向")

            common.selectListenFun("vul1-SpringMvc-redirect", "vul1-SpringMvc-redirect-input")
            common.selectListenFun("vul2-Servlet-redirect", "vul2-Servlet-redirect-input")
            common.selectListenFun("vul3-Spring-redirect", "vul3-Spring-redirect-input")

            var cmConfig = {
                lineNumbers: true,
                lineWrapping: false,
                indentUnit: 4,
                indentWithTabs: true,
                theme: 'juejin',
                styleActiveLine: {nonEmpty: true},
                fontSize: "18px",
                mode: "text/x-java"
            };

            CodeMirror(document.getElementById("vul1SpringMvcRedirect"), Object.assign({}, cmConfig, {
                value: vul1SpringMvcRedirect
            }));
            CodeMirror(document.getElementById("vul2ServletRedirect"), Object.assign({}, cmConfig, {
                value: vul2ServletRedirect
            }));
            CodeMirror(document.getElementById("vul3SpringRedirect"), Object.assign({}, cmConfig, {
                value: vul3SpringRedirect
            }));
        });
    });
</script>

</body>
</html>
